CSRF & Stored XSS reported by @iamrastating. Due to a lack of CSRF mitigation and entity encoding in the output generated by arabic-font.php and /inc/panel.php, it is possible to store and execute scripts in the context of an admin user.

REST API Bypass reported by Dewhurst Security. This vulnerability allows an attacker to perform a POST request with the “users” string in the body of the request and tell the REST API to act as if it had received a GET request.

WP Security bulletin - NOVEMBER 2018 At your next scheduled WordPress Maintenance, be advised for your WP Security about the latest 3 vulnerabilities in WordPress themes identified and reported publicly during. As these vulnerabilities are disclosed, when you use one (or more) of these outdated plugins - you're risking serious...

For your WP Security, be informed about the latest vulnerabilities in WordPress plugins: Form Maker by WD CSV Injection reported by Ryan (Dewhurst Security). Custom Forms version 1.12.20 is affected by the vulnerability Remote Command Execution using CSV Injection. This allows a public user to inject commands as a part...

A MASSIVE distributed brute force attack campaign aimed only at WordPress sites started THIS MORNING at 3 AM UTC (Coordinated Universal Time), (3 AM United Kingdom, England; 4 AM Germany; 5 AM Romania). It uses a large number of attacking IPs, and each IP is generating a huge number of...

For your WordPress protection, be informed about the latest WordPress Core vulnerability, fixed in WordPress 4.9.2 Security and Maintenance Release from January 16, 2018. WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement). MediaElement has released a new version that contains a fix for the...

For your WordPress protection, be informed about the latest vulnerabilities in WP plugins: AddToAny Share Buttons Conditional Host Header Injection reported by Paul Dannewitz. It is possible to inject a custom Host header, which is then used to build the link that is shared on social media platforms when...

A new kind of attack targets fresh WordPress installations. The attack starts with a scan for the "/wp-admin/setup-config.php" URL. This is the setup URL for any freshly installed WordPress. If the attackers find that URL and it contains a setup page, it indicates that someone has recently installed WordPress on the...

On 6 February, 2018, WordPress 4.9.4 was released to the public. This maintenance release fixes a severe bug in 4.9.3, which will cause sites that support automatic background updates to fail to update automatically, and will require manual action to be updated to 4.9.4. We strongly encourage you to update...

Infected code is loaded onto computers from the internet via the web browser, often unknown to the user, when they visit an infected website. These malware programs change browser settings, alter system files and create new default webpages. Typically, malware collects personal information or renders the computer unusable. Several malware programs...

Social Engineering exploits. Human interaction and commerce are increasingly digital, and threat actors are adapting to that reality. They are following shifting trends, usage patterns and popular interests to attack people through social media channels. Many of these attacks rely on social engineering. Others simply take advantage of inclinations for...

Constant Data Breaches expected throughout 2019. 2018 was the second-most active year for information data breaches. Hacking by external actors triggered most security breaches; however, Web invasions and exposures compromised more records. More than 6,500 security breaches were reported in 2018, according to a brand-new report from Risk Based Security....

7 WordPress Security Core Vulnerabilities in December 2018 For your WordPress Security, be informed about the NEW WP Core Vulnerabilities. Publicly known since its first official report on December 14, 2018. WordPress <= 5.0 - Authenticated File Delete Description: Karim El Ouerghemmi discovered that authors could alter meta data to...

WP Security bulletin - DECEMBER 2018 At your next scheduled WordPress Maintenance, be advised for your WP Security about the latest 17 vulnerabilities in WordPress plugins identified and reported publicly. As these vulnerabilities are disclosed, when you use one (or more) of these outdated plugins - you're risking serious WordPress...